Workgroup Bridge with older Cisco Access Points and new Mobility Express Releases

Since I just spent the better part of a weekend to finally get this working, here’s a nasty little bug that took forever to track down: starting with 8.10.150.0, if you want some older Cisco access points to connect to your network in WGB mode, you need to tweak your security settings a little bit, otherwise they just won’t connect. “cannot associate: EAP authentication failed” is one of the various not exactly helpful error messages you’re probably very familiar with at this point if you found this post…

Cisco actually points to it in their documentation, but of course that was the last place I looked:

config wlan security wpa akm psk pmkid {enable | disable} wlan_id

That is, if you want to have a WGB connect to your WLAN 3:

config wlan disable 3
config wlan security wpa akm psk enable 3
config wlan security wpa akm psk pmkid enable 3
config wlan enable 3

Once that’s set, just configure your WGB like you usually would – for example:

dot11 ssid yourssid
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii yourpresharedkey
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 ssid yourssid
 station-role workgroup-bridge
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding

With PMK ID set, a 2600 Series or even something as old as a 1131AG would connect like it’s supposed to.

Enable PCI passthrough for QEMU/KVM

I have a couple of older HP ProLiant DL360 Gen 6 and Gen 7 servers I want to use as virtual machine hosts with some PCIe devices mapped through to the guests running there, let’s say so they can directly access the Fibre Channel ports on the host or whatnot. Here’s how to do it (running Ubuntu 14.04 LTS that is, YMMV with other distributions):

  1. Edit your /etc/default/grub and add the intel_iommu=on boot option, it should look something like this (serial console for ILO enabled as well)
    GRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8 intel_iommu=on"
  2. Add the vfio module to the list in /etc/modules
    # /etc/modules: kernel modules to load at boot time.
    #
    # This file contains the names of kernel modules that should be loaded
    # at boot time, one per line. Lines beginning with "#" are ignored.
    # Parameters can be specified after the module name.
    lp
    rtc
    vfio
  3. Create a file like /etc/modprobe.d/vfio.conf setting the allow_unsafe_interrupts option for the vfio module.
    options vfio_iommu_type1 allow_unsafe_interrupts=1

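    Otherwise you’ll get an error when trying to start a VM with a PCI device passed through: “failed to set iommu for container: Operation not permitted”
    Apparently the IOMMU interrupt remapping is kinda broken on this platform. Note that this option turns off VFIO’s requirement for interrupt remapping, which is what keeps an assigned device from sending arbitrary interrupts to the host, so only pass devices through to guests you trust.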

  4. Reboot your server and create a VM with one of your PCIe adapters passed through – it should show up just as if it were a native device on a real, physical server.
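
To confirm the settings from steps 1 to 3 and to keep track of hosts where the interrupt remapping requirement has been switched off, an audit function can check them in one go. This is an added example, not part of the original post; the function name `audit_passthrough` and its optional root-prefix argument are assumptions.

```shell
#!/bin/sh
# Added example: audit the settings from steps 1-3.
# The optional ROOT argument (an assumption of this example) is a path
# prefix, so a copy of a host's config tree can be checked as well as "/".
# Returns 0 = configured, 1 = a step is missing,
#         2 = configured, but allow_unsafe_interrupts is switched on.
audit_passthrough() {
    root="${1:-/}"; root="${root%/}"
    rc=0

    # Step 1: intel_iommu=on in the GRUB kernel command line.
    if grep -Eqs '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=.*intel_iommu=on' \
            "$root/etc/default/grub"; then
        echo "OK    intel_iommu=on set in /etc/default/grub"
    else
        echo "FAIL  intel_iommu=on missing from /etc/default/grub"; rc=1
    fi
    # /proc/cmdline shows what the running kernel was actually booted with.
    if [ -r "$root/proc/cmdline" ] &&
            ! grep -qs 'intel_iommu=on' "$root/proc/cmdline"; then
        echo "NOTE  intel_iommu=on not active on the running kernel"
    fi

    # Step 2: vfio on its own uncommented line in /etc/modules.
    if grep -Eqs '^[[:space:]]*vfio[[:space:]]*$' "$root/etc/modules"; then
        echo "OK    vfio listed in /etc/modules"
    else
        echo "FAIL  vfio not listed in /etc/modules"; rc=1
    fi

    # Step 3: list every modprobe.d file that turns the override on, plus
    # the live module parameter if vfio_iommu_type1 is loaded.
    pat='^[[:space:]]*options[[:space:]]+vfio_iommu_type1[[:space:]].*allow_unsafe_interrupts=(1|[Yy])'
    unsafe=$(grep -Els "$pat" "$root"/etc/modprobe.d/*.conf) || true
    live="$root/sys/module/vfio_iommu_type1/parameters/allow_unsafe_interrupts"
    if grep -qs '^Y' "$live"; then unsafe="$unsafe $live"; fi
    if [ -n "$unsafe" ]; then
        echo "WARN  allow_unsafe_interrupts enabled in:" $unsafe
        if [ "$rc" -eq 0 ]; then rc=2; fi
    fi
    return "$rc"
}
```

Call `audit_passthrough` with no argument on the host itself; a return code of 2 marks a host whose passthrough guests need to be trusted.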

Husqvarna chain-brake fix

Can’t get the cover on your Husqvarna chainsaw back on after working on your chain? Chances are you forgot to disengage the chain brake before removing the cover (it probably didn’t come off quite that easy, remember?) and now you’re stuck with a chainsaw you can’t reassemble without getting the chain stuck…

There are quite a few videos on YouTube with different methods on how to fix this, but most of them aren’t exactly easy or risk-free (it’s a quite strong coil with a lot of energy stored) and take way longer than they need to. Apparently Husqvarna even has a dedicated tool to do this… Well, here’s an easy 5-10 second fix that worked just fine for me on a Husky 135, once I figured out what the problem was:

  1. With the cover, blade and chain removed – move the brake handle forward into the “engaged” position.
  2. Put the cover in place and wiggle it (and the brake handle) a bit so the star-like metal piece slips into place, aligned with the notches on the brake handle.
  3. With everything aligned, pull the handle carefully back to disengage the brake, using the handle as a lever exactly the way you’d normally use it when working with your chainsaw. You’ll hear it click in place.
  4. Remove the cover again, attach the bar and put on the chain. Put the cover back on the way it’s supposed to work: without much resistance at all.

No disassembly of the brake required and certainly no special tool, only takes a couple seconds. Possibly even works without removing the bar and chain, though I haven’t tried it that way.

XMPP notifications for check_mk

Want to have your check_mk notify you via XMPP / Jabber if something goes boom? Here’s a little Python notification script which does just that…

You’ll need sleekxmpp installed, either via pip install sleekxmpp or apt-get install python3-sleekxmpp if you’re running Ubuntu.

Next, just add the script to check_mk by placing it here: […]/share/check_mk/notifications/xmpp

#!/usr/bin/env python
# Send Notifications via XMPP

import sleekxmpp
import os
import logging

class SendMsgBot(sleekxmpp.ClientXMPP):
    """Connect, send a single message to the recipient, then disconnect."""
    def __init__(self, jid, password, recipient, msg):
        super(SendMsgBot, self).__init__(jid, password)
        self.recipient = recipient
        logging.debug("Recipient: %s" % recipient)
        self.msg = msg
        logging.debug("Message: %s" % msg)
        self.add_event_handler('session_start', self.start)
        self.connect()
        self.process(threaded=False)

    def start(self, event):
        # Runs once the XMPP session is up: announce presence, send, hang up.
        self.send_presence()
        self.get_roster()
        self.send_message(mto=self.recipient, mbody=self.msg)
        logging.debug("Message sent")
        self.disconnect(wait=True)

if __name__ == '__main__':
    # With level=logging.ERROR the debug lines are dropped; lower it to logging.DEBUG to see them.
    logging.basicConfig(filename='/tmp/notifications.log', format='%(asctime)s %(levelname)s:%(message)s', level=logging.ERROR)
    logging.debug("Start")
    # The script treats an unexpanded '$SERVICEDESC$' macro as the marker for a host notification.
    if os.environ["NOTIFY_SERVICEDESC"] != '$SERVICEDESC$':
        message = "SERVICE"
    else:
        message = "HOST"
    message = message+"-"+os.environ["NOTIFY_NOTIFICATIONTYPE"]+"\n"+os.environ["NOTIFY_SHORTDATETIME"]+"\nHost: "+os.environ["NOTIFY_HOSTNAME"]+" - "+os.environ["NOTIFY_HOSTSTATE"]
    if os.environ["NOTIFY_SERVICEDESC"] == '$SERVICEDESC$':
        message = message+"\nHost-Plugin-Output: "+os.environ["NOTIFY_HOSTOUTPUT"]
    else:
        message = message+"\nService: "+os.environ["NOTIFY_SERVICEDESC"]+" - "+os.environ["NOTIFY_SERVICESTATE"]+"\nService-Plugin-Output:"+os.environ["NOTIFY_SERVICEOUTPUT"]
    message = message+"\n-------------------------\n\n"
    logging.debug("%s" % message)
    # Sender JID and password are placeholders; the recipient is the custom parameter set in check_mk.
    xmpp = SendMsgBot("[email protected]", "yourpassword", os.environ["NOTIFY_PARAMETER_1"], message)

Now call the script with the destination ([email protected]) you want notified as custom parameter from within check_mk and give it a try by triggering some alert.

(Originally from here, but last time I checked indentation was broken and the site mostly down)

Event Console not showing up in check_mk

After spending the last couple hours trying to figure out why the event console wasn’t showing up in my manually upgraded OMD/check_mk install (that is OMD 1.2 w/ check_mk 1.2.4p5 upgraded to 1.2.6b10) even though mkeventd is running – here’s what you got to do: manually copy the files from your check_mk source directory into the install directory. The setup script does everything else for you, except that.

cd ~
cd check_mk-1.2.6b10/mkeventd.src
rsync -av web/* ~/local/share/check_mk/web/
sending incremental file list
htdocs/
htdocs/mkeventd.py
htdocs/images/button_mkeventd_hi.png
htdocs/images/button_mkeventd_lo.png
htdocs/images/icon_ack.png
htdocs/images/icon_clear.png
htdocs/images/icon_counting.png
htdocs/images/icon_delayed.png
htdocs/images/icon_mkeventd.png
htdocs/images/icon_resetcounters.png
plugins/
plugins/config/
plugins/config/mkeventd.py
plugins/icons/
plugins/icons/mkeventd.py
plugins/sidebar/
plugins/sidebar/mkeventd.py
plugins/views/
plugins/views/mkeventd.py
plugins/visuals/
plugins/visuals/mkeventd.py
plugins/wato/
plugins/wato/mkeventd.py

sent 210,421 bytes received 346 bytes 421,534.00 bytes/sec
total size is 209,125 speedup is 0.99

That’s it. WATO should now show the event console again and things like rule based notification will also work.

Eating with (really bad) aphthous ulcers

Aphthous stomatitis or mouth ulcers (aka canker sores) can be a real pain in the ass, well, mouth – those 5-20% of people occasionally suffering from it know what I’m talking about. Especially if one happens to be at a spot your teeth rub against, or as it is currently the case for me, if a bunch of ’em cover pretty much your whole throat making swallowing food quite uncomfortable or downright painful.

Here’s a little gem that took me decades to figure out, even though it really is quite simple if you think about it: Instead of eating regular food, just switch to drinking your nutritional basics for a couple days. Bodybuilders and professional athletes have been doing it for decades to increase their daily intake and it works just fine for them. Lately, there’s even Soylent marketed to regular folks, but it’s basically not much different from so-called meal replacement shakes that have been around since the last century.

Even though I currently can’t even eat cereal or soaked and soft muesli (granola for you American folks) without pain, let alone anything even mildly spicy or somehow granular or grainy, downing a big jug of my own soylent-like mixture was no issue at all.

If you’re not really into the whole nutritional science, just go and order yourself some Soylent – it’s basically the one-size-fits-most of meal replacements. If you don’t live in the US or can’t be bothered to wait for a shipment (as you probably found this article because your throat/mouth/whatever hurts right now), go to your nearest bodybuilding supplier or sports shop and get yourself meal replacement shakes and a shaker. Preferably a couple flavors, since you’ll be eating/drinking pretty much nothing else once you notice the distinctive lack of pain. And if they don’t have any pre-mixed meal replacement powders, just get some protein powder and something like (really finely ground) oatmeal or another form of carbs, like Maltodextrin. Put some water and/or milk in your shaker, add the right amount of powder, mix it up and your meal is ready.

Even if it’s unfamiliar and odd at first, you can live off that just fine – you’ll feel full and if you add some multivitamins, your body should have everything it needs to sustain you for another half a day or so, until the next shake. Hell, for some people out there it will probably be a better diet than they’re currently having.

Once your ulcers are gone, just switch back to your normal eating habits. Or stay with Soylent if you decide to actually enjoy it.

Maybe this will help some currently miserable folks out there – it sure did for me. You can thank me in the comments…

Cloudflare Universal SSL and WordPress

Cloudflare just rolled out their Universal SSL enabling pretty much any site to use SSL without any associated costs – which is pretty awesome…

But when using it on one of my test-sites, it turned out the site looks pretty much broken. Apparently WordPress doesn’t yet use protocol relative URLs, so CSS, JS etc. may still have a http:// prefix, causing some browsers not to load that content over an insecure channel. Furthermore, trying to access the WordPress dashboard results in an infinite loop, since the request from Cloudflare to your server is still HTTP and handled accordingly by WordPress.

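The quick way to fix this is to simply add a few lines to your wp-config.php:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
// Cloudflare sends CF-Visitor: {"scheme":"https"} when the visitor connected over HTTPS.
// It is a plain request header, so only rely on it if the origin accepts traffic from Cloudflare alone.
if (isset($_SERVER['HTTP_CF_VISITOR']) && strpos($_SERVER['HTTP_CF_VISITOR'], 'https') !== false) $_SERVER['HTTPS'] = 'on';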

And maybe install some kind of HTTPS plugin to get rid of the mixed-content warnings due to residual http:// content from other plugins.